New corporate and institutional obligations to protect whistleblowers

The 2019 EU Directive imposed a requirement on Poland to implement appropriate regulations for dealing with and protecting whistleblowers. This implies new obligations for both public and private sector entities.

A new legal obligation

In accordance  with the Directive of the European Parliament and of the Council (EU) on the protection of individuals who report violations of the European Union’s law (the “whistleblower protection”), adopted on 23 October 2019, member states have two years from the date of adoption of the Directive by the European Parliament to implement a regulation on the protection of whistleblowers in their legal system.

The Directive comes as a response to the emerging problems related to the signaling of any irregularities in the functioning of enterprises in the European Union. Its scope will cover both the majority of entities in the public sector (excluding municipalities with fewer than 10 thousand inhabitants) and entities in the private sector (excluding entities with fewer than 50 employees).

For reasons stated above, the aforementioned entities will be required to:

• establish internal and external notification channels;
• work out a procedure for dealing with reports;
• provide protection to whistleblowers, ensuring their anonymity and security, and prohibiting any reprisal against them;
• keep a register of reports in accordance with confidentiality requirements.

Looking for a system for whistleblowers?

Discover Whistleblower Productive24

In the face of challenges

The main challenge for businesses will be to set up transparent channels and procedures for whistleblowing. A system for handling notifications of irregularities will have to ensure the anonymity of whistleblowers, record the complaints and meet the deadlines set out in the directive (i.e. seven days to confirm a notification and three months to obtain information about actions taken and planned). Considering that most of the solutions put forward in the Directive are unprecedented in Poland, businesses should be taking the first steps now to ensure that appropriate procedures and technological tools are provided and that an ethical organizational culture is built.

Who is a whistleblower and how are they perceived?

Whistleblower is a person who alerts (e.g. their superiors or the public) about irregularities occurring in an organization. This may be an employee of a given company, its shareholder, contractor or subcontractor. It is worth noting that the main factor that motivates whistleblowers to take action is the fact that they feel socially responsible for improving the conditions in a given organization. In Poland associations with whistleblowers have a distinctly pejorative overtone. The best-known cases of whistleblower reports come from countries where the sense of responsibility for the workplace and for justice is deeply rooted in the organizational culture, and where the sense of security is further strengthened by applicable laws. In short: people are not afraid to report what is unethical and contrary to their system of values because they can be sure to receive all possible support and not face any reprisal at the workplace.

Among the world’s most recognizable whistleblowers is Edward Snowden – a former CIA employee who revealed several hundred thousand confidential and top secret documents of the government agency NSA. Whistleblowers, however, do not only act on a massive scale exposing irregularities in powerful state institutions. The vast majority of whistleblower reports concern the operation of companies and there have been a number of such cases in Poland as well, e.g. violations of labor law by the supermarket chain Biedronka publicized by the media in 2003, or the recent GetBack scandal.

Many whistleblowers suffer negative consequences of their decision. The main reason for this may be the lack of social acceptance of their actions. According to a report by the Batory Foundation, most of those surveyed would only report irregularities as a last resort, i.e. if they concerned safety standards or threatened the life or health of employees. The main obstacles that prevent people from reporting irregularities are the fear of being recognized as a “rat,” the difficulty in proving the validity of the report and the risk of reprisals. Associations with whistleblowers are therefore often very negative. As the ACFE research shows, the role of whistleblowers in reporting irregularities is currently the most important, which means that we learn about them most frequently from whistleblowers.

Whistleblowers – benefits to the organization

Contrary to popular belief, whistleblower actions can benefit the company by enabling quick and effective detection and elimination of irregularities or embezzlement, and thus contribute to protecting the company from the harmful effects of unethical actions performed, for example,  by dishonest management. Prompt response and handling in-house notifications may also protect the company from scandals or severe financial fines. It is therefore worth taking care of altering the perception of whistleblowers by their immediate environment through building and strengthening an ethical organizational culture and providing whistleblowers with a sense of security and anonymity. This can be facilitated by building an organization based on communication and understanding, in which employees, instead of sending anonymous reports, can first talk to their superiors. It is also important to develop and implement an ethical compliance system that will ensure adherence to the law. The internal company policy developed in the process should also cover procedures for whistleblowing, including information on the channel through which irregularities can be reported.

What channel of whistleblower notifications will be most effective?

Of the many different channels for reporting misconduct that an organization can use (see table below), an independent IT application is the most effective. Dedicated software will provide whistleblowers not only with easy access to the tool and an opportunity to obtain feedback, but most importantly with the highest standards of protection of their personal data, anonymity and processing of notifications in accordance with the approved organizational policy.

Whistleblower Productive24

An effective tool for whistleblowers should be tailored and fully customized to the company’s internal policy. Whistleblower Productive24, built on the Productive24 platform, is one such solution. It enables secure reporting of irregularities in the functioning of an organization, facilitating early detection of fraud and elimination of unethical behavior of employees or managers. This solution can be a perfect tool for both the Compliance Officer and the management.

Whistleblower Productive24 features:

• Adding anonymous reports (with attachments) regarding violations and negligence in the organization.
• Standardized process of accepting and categorizing reports according to the adopted parameters and processing them in accordance with internal policies and applicable law.
• Automatic notifications to authorized stakeholders about new reports and changes to the status of the reports already in the process.
• Keeping a record of all reports with the possibility of searching, sorting and filtering them by authorized persons (the system enables registering reports from other channels (“off-line”).
• Analyzing and reporting data on reported incidents.
• Ensuring personal data security in accordance with the GDPR.
• Access anytime and anywhere (24/7) – all Whistleblower Productive24 features can be accessed via a web browser as well as through dedicated mobile apps for iOS, Android or Windows10 that work offline.

Productive24 – a tool for the Compliance Officer

The solution for whistleblowers is not the only area where the Productive24 platform supports compliance in an organization. Productive24 enables the development of any flexible business applications which, by creating one ecosystem, streamline the management of the entire organization. The solutions dedicated for this purpose provide a comprehensive tool for vertical and horizontal controlling, e.g. in the area of procurement, finance, budgetary planning and controlling (case study Danone Group), personnel project controlling (case study Lublin City Office), as well as in the areas of marketing and sales, etc.

Productive24 also serves as a tool supporting the Information Security Management System (ISMS) in such areas as:

• managing the knowledge base and repositories of procedures, instructions and regulations (knowledge management),
• managing and executing processes related to personal data processing (the GDPR system),
• processing security incident reports (cyber security ticketing).

Using the features of the LMS system, Productive24 enables the Compliance Officer to manage training sessions and conduct e-training, e.g. in the field of protection of confidential information and company secrets, rules of conduct in the event of security breaches, CSR and other internal regulations.

Effective transfer and monitoring of knowledge in any area (e.g. existing rules and procedures) may also include regular verification through:

• conducting surveys, tests and quizzes (general and specialized),
• generating obligatory e-declarations of becoming acquainted with the content of documents with a specified time limit for their submission (submission of the declaration may also be preceded by control questions or a test). If the time limit is exceeded or the declaration is not submitted, the escalation path is triggered automatically.

Another important aspect supported by the platform is risk management. The system allows for recording and assessing risks occurring in the organization, both those related to legal aspects (e.g. personal data processing) as well as ones related to the implementation of the internal company policy.

If you are interested in implementing flexible IT solutions that fully reflect and automate key processes of your organization, we invite you to contact us: